AWS dms documentation change
Summary
Added section on using KMS keys to encrypt files with example IAM policy for DMS Serverless premigration assessments
Security assessment
The change adds documentation about configuring KMS encryption for data during premigration assessments, which enhances security by describing how to use customer-managed keys. However, there is no evidence of addressing a specific existing vulnerability.
Diff
diff --git a/dms/latest/userguide/CHAP_Serverless.Premigrations.md b/dms/latest/userguide/CHAP_Serverless.Premigrations.md index 076110886..7af39eeba 100644 --- a//dms/latest/userguide/CHAP_Serverless.Premigrations.md +++ b//dms/latest/userguide/CHAP_Serverless.Premigrations.md @@ -5 +5 @@ -Limitations +Using KMS key to encrypt filesLimitations @@ -29,0 +30,18 @@ AWS DMS Serverless provides the following optional settings to support pre-migra +## Using KMS key to encrypt files + +To configure `SSE-KMS` for DMS Serverless premigration assessment with a customer-managed key, add a policy statement that grants the DMS service-linked role on your KMS key, enabling secure encryption and decryption of data during the assessment process. You must configure the `kms:GenerateDataKey` and `kms:Decrypt` permissions. See the example below: + + + { + "Sid": "AccessForDMSServerlessPremigration", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::<CustomerAccountId>:role/aws-service-role/dms.amazonaws.com/AWSServiceRoleForDMSServerless" + }, + "Action": [ + "kms:Decrypt", + "kms:GenerateDataKey*" + ], + "Resource": "*" + } +